Add RPC encryption key support

In the Ocata release, trove added support for encrypting the rpc communication between the guest instances and the control plane. These settings allow the user to specify installation specific keys versus using the default keys. This cherry pick includes: I4d34b7e68b69ce30ee1fb08e7495cd22fa157495 Change-Id: Ie42d754d58e983a15b553ad8a399813c9a700344
2017-03-23 15:36:24 -05:00 · 2017-03-23 15:36:24 -05:00 · 7a803e4946
parent c2e49084be
commit 7a803e4946
9 changed files with 64 additions and 8 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -109,7 +109,6 @@ trove_ssl_self_signed_regen: false
 trove_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"

 # Database vars
-
 trove_galera_database_name: trove
 trove_galera_user: trove
 trove_galera_address: "{{ internal_lb_vip_address }}"
@ -126,6 +125,19 @@ trove_rabbitmq_use_ssl: False
 trove_rabbitmq_port: 5672
 trove_rabbitmq_servers: "{{ rabbitmq_servers }}"

+# RPC encryption keys
+# See the Trove documentation as to the significance of the rpc encryption keys
+# Trove supplies default values but we enforce they not be left to their default values
+trove_enable_secure_rpc_messaging: "True"
+trove_required_secrets:
+  - trove_galera_password
+  - trove_rabbitmq_password
+  - trove_service_password
+  - trove_admin_user_password
+  - trove_regular_user_password
+  - trove_taskmanager_rpc_encr_key
+  - trove_inst_rpc_key_encr_key
+
 # Keystone AuthToken/Middleware
 trove_keystone_auth_plugin: password
 trove_service_project_domain_name: Default
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@ -17,7 +17,22 @@ Default variables
 Required variables
 ~~~~~~~~~~~~~~~~~~

-None.
+This list is not exhaustive at present. See role internals for further
+details.
+
+.. code-block:: yaml
+
+    # Service and user passwords
+    trove_galera_password:
+    trove_rabbitmq_password:
+    trove_service_password:
+    trove_admin_user_password:
+    trove_regular_user_password:
+
+    # Trove RPC encryption keys.
+    trove_taskmanager_rpc_encr_key:
+    trove_inst_rpc_key_encr_key:
+

 Dependencies
 ~~~~~~~~~~~~
--- a/extras/user_secrets.yml
+++ b/extras/user_secrets.yml
@ -1,6 +1,8 @@
---
-trove_galera_password:
-trove_rabbitmq_password:
-trove_service_password:
-trove_admin_user_password:
-trove_regular_user_password:
+---
+trove_galera_password:
+trove_rabbitmq_password:
+trove_service_password:
+trove_admin_user_password:
+trove_regular_user_password:
+trove_taskmanager_rpc_encr_key:
+trove_inst_rpc_key_encr_key:
--- a/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
+++ b/releasenotes/notes/rpc-encryption-b75fb0d08579a7dd.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - In the Ocata release, Trove added support for encrypting the rpc
+    communication between the guest DBaaS instances and the control plane.
+    The default values for ``trove_taskmanager_rpc_encr_key`` and
+    ``trove_inst_rpc_key_encr_key`` should be overridden to specify
+    installation specific values.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -27,6 +27,14 @@
  tags:
    - always

+- name: Fail if our required secrets are not present
+  fail:
+    msg: "Please set the {{ item }} variable prior to applying this role."
+  when: (item is undefined) or (item is none)
+  with_items: "{{ trove_required_secrets }}"
+  tags:
+    - always
+
 - include: trove_pre_install.yml
  tags:
    - trove-install
--- a/templates/trove-conductor.conf.j2
+++ b/templates/trove-conductor.conf.j2
@ -10,6 +10,8 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t

 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}

 [profiler]
 enabled = {{ trove_profiler_enabled }}
--- a/templates/trove-taskmanager.conf.j2
+++ b/templates/trove-taskmanager.conf.j2
@ -8,6 +8,10 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t

 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+taskmanager_rpc_encr_key = {{ trove_taskmanager_rpc_encr_key }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
+
 db_api_implementation = trove.db.sqlalchemy.api
 trove_auth_url = {{ trove_auth_url }}
 nova_compute_url = {{ trove_nova_compute_url }}
--- a/templates/trove.conf.j2
+++ b/templates/trove.conf.j2
@ -9,6 +9,10 @@ transport_url = rabbit://{% for host in trove_rabbitmq_servers.split(',') %}{{ t

 {# There must be a blank line above or the following line will be appended to the previous. #}
 control_exchange = {{ trove_control_exchange }}
+enable_secure_rpc_messaging = {{ trove_enable_secure_rpc_messaging }}
+inst_rpc_key_encr_key = {{ trove_inst_rpc_key_encr_key }}
+taskmanager_rpc_encr_key = {{ trove_taskmanager_rpc_encr_key }}
+
 db_api_implementation = "trove.db.sqlalchemy.api"
 trove_auth_url = {{ trove_auth_url }}
 os_region_name = {{ trove_service_region }}
--- a/tests/os_trove-overrides.yml
+++ b/tests/os_trove-overrides.yml
@ -31,6 +31,8 @@ trove_requirements_git_install_branch: master
 trove_service_password: "secrete"
 trove_regular_user_password: "secrete"
 trove_admin_user_password: "secrete"
+trove_taskmanager_rpc_encr_key: bzH6y0SGmjuoY0FNSTptrhgieGXNDX6PIhvz
+trove_inst_rpc_key_encr_key: emYjgHFqfXNB1NGehAFIUeoyw4V4XwWHEaKP
 trove_service_project_domain_id: default
 trove_service_project_name: service
 trove_service_region: RegionOne